Technical Tip: FortiAnalyzer reports show the same users twice (name in upper case and lower case)
Description
This article describes how, when a FortiGate is set to require authentication, it may use two methods to authenticate: LDAP and FSAE.
The behavior is different depending on the method used and this will cause the FortiAnalyzer to have two different log entries for the same user (one with upper case names and one, for the same user, but written in lower case).
Reports will show the same user as represented by two different ones. This is because the FortiAnalyzer filter is case sensitive and it will treat names differently if FortiGate is reporting as lower case.
Scope
FortiGate.
Solution
This is resolved on the FortiGate in 4.0 MR1 with the addition of a new command on the CLI to allow ALL users logged to be in upper case. This is useful when the same servers are shared for LDAP and FSAE.
This allows FortiAnalyzer to ensure that the same user whether it's LDAP or FSAE is represented as a single one in reports.
This allows FortiAnalyzer to ensure that the same user whether it's LDAP or FSAE is represented as a single one in reports.
Example: Instead of 'Joe' and 'JOE', only 'JOE' will be logged.
The following settings can be used to enable/disable uppercase:
config log setting
set log-user-in-upper disable
end